According to RHEV documentation and http://www.ovirt.org/Features/PKI I have changed apache-ca.pem and apache.{p12,key,cer} with my own certificate that was signed by proper CA (it is not self-signed).
Now, I don't know how to configure oVirt (3.4) to return my CA certificate for the /ca.crt URLs. Foreman project (and Satellite 6 product) as well as rbovirt client library does use /ca.crt file for initial CA certificate download. It looks like currently oVirt only returns the server's certificate and there is no way of providing my own CA file (which is a separate file apparently).
Please document how to reconfigure oVirt to do this.
Also http://www.ovirt.org/Features/PKI should be improved with more information how to swap certificates (I had to follow RHEV guide to do this).
If this is not possible, please create a feature request for this as Foreman/Satellite 6 depend on this feature.
Many thanks!

After some chat with mskrivanek it looks like this is hardcoded and can't be changed. Well, this is highly confusing, the URL should be /server.crt and not /ca.crt.
The proper fix would be to serve the file via httpd allowing users to override this more easily. Please consider renaming /ca.crt to /server.crt (by default symlinking it to the same file) and changing the default configuration so Apache2 httpd serves these files instead of Java application.
WORKAROUND:
Put your proper CA file to /var/www/htdocs and remove the proxy for the /ca.crt url:
cp your_ca.crt /var/www/html/ca.crt
(optionally relabel the file)
sed -iE 's/ca.crt$|//' /etc/httpd/conf.d/z-ovirt-engine-proxy.conf

This is an automated message.
This Bugzilla report has been opened on a version which is not maintained anymore.
Please check if this bug is still relevant in oVirt 3.5.4.
If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution)
If it's an RFE please update the version to 4.0 if still relevant.

(In reply to Yaniv Kaul from comment #6)
> If you've used your own CA, why do you need oVirt to provide you the CA
> certificate?
Because some tools expect to get it so that they can "verify" the connection. See e.g. bug 1059952.

Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.